Protecting network ports

WHEN JOHN FLISHER took the job of information technology manager at the North Carolina State Ports Authority two years ago, the agency was just finishing a major upgrade of its network.

'It was long overdue, and it worked out rather nicely,' Flisher said. However, 'we had no Web filtering at all. It was an afterthought.'

Although it was an afterthought two years ago, protecting Web gateways has become an increasingly important priority for enterprises.

'The Web now represents the most targeted and exploitable attack surface in an organization's network,' said Doug Camplejohn, chief executive officer of Mi5 Networks, whose Webgate security appliance filters traffic for the ports authority.

Distributing malware through Web sites is a growing industry, as hackers, spammers and phishers transition from e-mail to Web sites, said Mark Sunner, chief security analyst at MessageLabs. According to the company's latest threat intelligence report, 30.5 percent of all malicious code found in Web traffic during May was new, and more than 1,300 sites hosting malware were discovered each day. It is becoming more difficult to tell the good sites from the bad.

'Increasingly, they are legitimate sites that have been compromised in some way,' Sunner said. An exploit, such as SQL injection, can redirect a Web browser to a server hosting malicious code. 'As 2008 plays out, this is where we are going to be seeing an increase in activity.'

Flisher began searching for a tool that would, at a minimum, provide antivirus and spyware protection and URL filtering at the perimeter of the agency's network.

'We were looking for something to stick into' the demilitarized zone, he said.

The authority chose a relatively small network that serves about 200 users at the ports of Morehead City on Bogue Sound, Wilmington on the Cape Fear River, and an inland terminal at Charlotte. The network is built with Cisco Systems' Catalyst 4500 series routers at its core, and Cisco 2960 and 3560 series switches at the perimeter. It uses wireless connections to track traffic through the ports and freight coming off and going onto ships. With wireless access points, the network contains about 400 nodes.

The slump in the U.S. housing market has slowed the growth in cargo volume moving through the ports. But overall, volume was up 6 percent in fiscal 2007 and up 17 percent for container volume. The VoyagerTrack Terminal Operating System is the primary application the ports use on the network. The Terminal Operating System went into operation in August 2007, replacing the previous e-Cargo Tools Container Tracking System for container transactions at Wilmington and Charlotte.

'One big thing I liked was that they had botnet detection,' Flisher said. It also had a simple hook to a Lightweight Directory Access Protocol directory so that activity could be tied to users. 'That accountability was something I was looking for.'

The latest release of Webgate, Version 4.0, adds controls for more than 100 applications and protocols, including instant messaging, peer-to-peer, voice over IP and streaming media. It can identify and monitor applications, allow or block them by product or category, and enforce security policies.

Flisher said he was pleased with the company's decision to add application controls to the product. 'That's something we've been asking for for a while,' he said.

Webgate features a Security Services Engine that uses characteristics from the carrier industry to maximize speed and throughput, Camplejohn said.

'On the Web, everything is about latency,' he said. Webgate does in-line inspection of all traffic in each direction at speeds of 1 gigabit/sec in its largest enterprise model to provide latency of less than 2 milliseconds. It works at the network layer, so 'we don't care what protocol they are trying to use.' Not all bad Web traffic is on Port 80. 'Although they mostly come in from the Web, they have a lot of additional behaviors to send data back out.'
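One way to operationalize the point above about malware sending data back out on ports other than 80, as an added example that is not code from the article or from the Webgate product: a small Python script that scans constructed outbound flow records for hosts that repeatedly contact the same non-web destination and port, or push a large volume out on a non-web port, and ties each finding to a user through a constructed address-to-user table standing in for the LDAP hook mentioned earlier. The thresholds, addresses and user names are all assumptions.

```python
# Added example: flag outbound flows on non-web ports and attribute them to users.
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out). Not real data.
FLOWS = [
    ("10.1.5.23", "203.0.113.10", 80, 1200),
    ("10.1.5.23", "203.0.113.10", 443, 800),
    ("10.1.5.42", "198.51.100.7", 6667, 350),   # same non-web dst/port, repeated
    ("10.1.5.42", "198.51.100.7", 6667, 420),
    ("10.1.5.42", "198.51.100.7", 6667, 390),
    ("10.1.5.77", "192.0.2.55", 8080, 50000),   # single large push on an alternate port
]

# Constructed stand-in for the directory/DHCP mapping that ties an address to a user.
IP_TO_USER = {"10.1.5.23": "jdoe", "10.1.5.42": "asmith", "10.1.5.77": "bjones"}

WEB_PORTS = {80, 443}

def find_suspicious(flows, ip_to_user, min_repeats=3, upload_threshold=10000):
    """Return findings keyed by user name.

    A (src, dst, port) triple is reported when the host repeatedly talks to the
    same non-web destination (beacon-like) or when the total bytes sent there on
    a non-web port exceed upload_threshold. Web-port flows are ignored.
    """
    by_key = defaultdict(list)
    for src, dst, port, nbytes in flows:
        if port not in WEB_PORTS:
            by_key[(src, dst, port)].append(nbytes)

    findings = {}
    for (src, dst, port), sizes in by_key.items():
        reasons = []
        if len(sizes) >= min_repeats:
            reasons.append("repeated_non_web_port")
        if sum(sizes) >= upload_threshold:
            reasons.append("large_outbound_non_web_port")
        if reasons:
            user = ip_to_user.get(src, "unknown")  # accountability: name, not just IP
            findings.setdefault(user, []).append(
                {"src": src, "dst": dst, "port": port, "reasons": reasons}
            )
    return findings

if __name__ == "__main__":
    for user, items in find_suspicious(FLOWS, IP_TO_USER).items():
        for item in items:
            print(user, item["src"], "->", item["dst"], item["port"], item["reasons"])
```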

Webgate can handle as many as 30,000 users at the high end, and multiple boxes can be managed centrally through a central intelligence unit. The primary factor in the number of appliances deployed typically is network architecture, Camplejohn said. The appliances can be deployed at each network site, or traffic can be backhauled to a central location, which is the way the Ports Authority is doing it for now.

'We have one box now' at a data center in Wilmington, Flisher said. 'We're looking to get another one for Morehead City,' and eventually, he would like to have one for the terminal in Charlotte. 'I don't want people dependent on the connection here.'

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.